diff --git a/os/password/default.nix b/os/password/default.nix
index 4cfa97e..79ef330 100644
--- a/os/password/default.nix
+++ b/os/password/default.nix
@@ -120,12 +120,14 @@ in
 
               ${lib.strings.concatLines (builtins.map syncPasswordStore passwords)}
 
-              comm -23 <(sudo find ${passwordStoreDir} -type f | sort) <(echo ${lib.strings.escapeShellArg (lib.strings.concatLines allFilenames)} | sort) | while read -r file
+              comm -23 <(sudo find ${passwordStoreDir} -type f -ctime +60 | sort) <(echo ${lib.strings.escapeShellArg (lib.strings.concatLines allFilenames)} | sort) | while read -r file
               do
                 echo Removing "$file" from password store
                 sudo rm "$file"
               done
             '';
+            # -ctime +60 is so it is possible to boot from previous nixpkgs without missing transform hashes
+            # TODO Find a better mechanism, maybe à la bootspec, or something compatible with cross-arch
           })} $out/bin/
         '';
     };